Eurail B.V., the Netherlands-based company that operates official online sales for Eurail and Interrail rail passes covering 33 national railways across Europe, has confirmed that attackers stole the personal information of over 308,777 individuals in a breach that occurred on December 26, 2025.
The disclosure, which arrived months after the incident, comes as stolen data has already been circulated on the dark web — raising the stakes for hundreds of thousands of affected travellers.
What Was Stolen
The breach exposed a broad range of highly sensitive personal data, with the scope extending well beyond typical contact information leaks:
| Data Category | Details |
|---|---|
| Identity | Full name, date of birth, age |
| Government ID | Passport or national ID number — including photocopies |
| Contact | Email address, postal address, phone number, country of residence |
| Financial | Bank account IBAN references |
| Health | Certain health-related data (primarily for DiscoverEU participants) |
| Technical | Source code, database backups, Zendesk support ticket contents |
According to a hacker who claimed responsibility for the attack, approximately 1.3 TB of data was exfiltrated, including internal source code and customer database dumps. The hacker stated that Eurail declined to engage in negotiations, prompting them to begin selling the data publicly.
DiscoverEU Program Impact
The breach had a particularly significant impact on participants in the DiscoverEU program — an EU initiative under the Erasmus+ umbrella that provides free or subsidized rail travel passes to young Europeans. DiscoverEU participants faced an even broader exposure:
- Photocopies of passports and national IDs
- Full IBAN bank account numbers
- Health-related data collected as part of program eligibility
DiscoverEU issued its own separate advisory notifying participants that their data was likely included in the breach.
Timeline
| Date | Event |
|---|---|
| December 26, 2025 | Unauthorized access occurs — files transferred from Eurail's network |
| February 2026 | Hacker publicly claims the attack; 1.3 TB of data listed for sale |
| February 25, 2026 | Eurail investigation concludes and confirms personal data exposure |
| March 27, 2026 | Eurail begins notifying affected individuals and state attorneys general |
| April 9, 2026 | BleepingComputer publishes breach report |
The gap between the December incident and the March notifications drew criticism from security observers. Eurail attributed the delay to the scope of its forensic investigation, which needed to determine exactly which individuals were affected.
Dark Web Activity
Eurail confirmed that stolen data has been actively offered for sale on dark web markets. A sample dataset was published on Telegram, and Eurail stated it is directly contacting individuals whose data appeared in the publicly released sample.
The hacker's claim to have stolen 1.3 TB is consistent with the range of data types described in the breach notice — a combination of customer databases, system-level data, and internal business records represents a significant volume for a travel operator of Eurail's size.
Regulatory Notifications
Eurail filed data breach notifications with attorneys general in California, New Hampshire, Oregon, and Vermont — states with proactive data breach notification laws that require companies to report when state residents are affected. The New Hampshire filing specifically identified 242 New Hampshire residents among those impacted.
Company Response
Eurail stated it has:
- Secured the affected systems and closed the exploited vulnerability
- Reset credentials across affected accounts and systems
- Enhanced security controls following the incident
- Established a dedicated call centre for affected individuals with questions
Recommendations for Affected Individuals
Eurail is urging affected individuals to take several precautionary steps:
- Passport reissuance — Contact the relevant passport-issuing authority to discuss reissuing your travel document, as passport photocopies were exposed
- Monitor bank activity — Watch for unauthorized IBAN-based transactions or direct debit setups
- Phishing vigilance — Be alert to unsolicited contacts claiming to be from Eurail or related services requesting personal details
- Email security — Watch for spear-phishing emails leveraging the exposed contact information
Eurail warned explicitly that it will never make unsolicited contact with affected individuals to ask them to share personal information.
Broader Context
This incident joins a growing list of travel sector breaches in recent years targeting both passenger data and loyalty program credentials. The combination of government-issued ID photocopies, financial account references, and health data in a single breach makes this incident more severe than typical email/password leaks — the exposure creates conditions for identity fraud that can persist for years.
Passport data is particularly problematic because travel documents have multi-year validity periods and cannot be quickly revoked or replaced without administrative burden on the affected individual.
Source: BleepingComputer — Eurail says December data breach impacts 300,000 individuals | The Record — Passport numbers leaked in Eurail breach